Configure SAML SSO with OneLogin

This guide explains how to configure Single Sign-On (SSO) using OneLogin as your Identity Provider for Baserow.

SSO is available on the Baserow Advanced and Enterprise plan. You must have a valid license activated to configure these settings.

Overview

Connecting OneLogin allows your organization to manage Baserow access centrally.

To set this up, you will create a “SAML Custom Connector” application in OneLogin and map the user fields (email and name) to Baserow.

Prerequisites

  • Baserow: You must be an Instance Admin on a self-hosted plan.
  • OneLogin: You must have administrative access to create applications.

Phase 1: Create the Application in OneLogin

  1. Log in to your OneLogin Administration panel.
  2. Navigate to Applications -> Applications in the top menu.
  3. Click Add App.
  4. In the search bar, type SAML Custom Connector.
  5. Select the result labeled SAML Custom Connector (Advanced).
  6. Display Name: Enter Baserow and make sure Visible in portal is on.
  7. Icons: (Optional) Upload the Baserow logo and add a description to the new SAML connector.
  8. Click Save.

Add SAML Custom Connector (Advanced)

Phase 2: Configure SAML settings

You need to tell OneLogin where to send the authentication data.

  1. Get Baserow URLs:
    • Open a new tab and go to your Baserow Admin tools -> Authentication -> + Add Provider -> SSO SAML Provider.
    • Copy the Single Sign On URL and Default Relay State URL.
  2. Configure OneLogin:
    • In OneLogin, go to the Configuration tab of your new app.
    • Paste the Baserow URLs into the corresponding OneLogin fields:
OneLogin field Value from Baserow
RelayState Paste Default Relay State URL
Audience (EntityID) Paste Single Sign On URL
Recipient Paste Single Sign On URL
ACS (Consumer) URL Validator* Paste Single Sign On URL (See Regex note below)
ACS (Consumer) URL* Paste Single Sign On URL

Learn more: Get Baserow URLs and manage SSO providers

The regex validator

The ACS (Consumer) URL Validator field requires a Regular Expression. This field is used by OneLogin to ensure that they POST the response to the right place. Creating a secure ACS (Consumer) URL Validator value is key to the security of the connector. If setup is misconfigured, an attacker could forge Authentication Requests to serviceprovider.com (SP).

If your URL is

https://baserow.io/api/sso/saml/login/

You must escape the slashes and dots. Example Regex:

^https:\/\/baserow\.io\/api\/sso\/saml\/login\/$

Ensure you include the start (^) and end ($) anchors. For information on OneLogin SAML Test Connector, visit this link.

Configure OneLogin SAML settings in Baserow

SAML settings (General)

Scroll down and ensure these specific settings are selected:

  • SAML initiator: OneLogin
  • SAML nameID format: Email
  • SAML encryption method: AES-128-CBC
  • SAML issuer type: Specific
  • SAML signature element: Both
  • Generate AttributeValue tag for empty values: ☑
  • SAML sessionNotOnOrAfter: 1140

Once you’re done, click Save to store the app settings.

OneLogin SAML settings (General)

Phase 3: Map user attributes (Parameters)

You must specify which OneLogin user details to send to Baserow.

  1. Go to the Parameters tab in OneLogin.
  2. Click the (+) Plus icon to add a new parameter.
  3. Add the following three parameters exactly as listed. Ensure you check “Include in SAML assertion” for each one.
Field Name (Baserow Variable) Value (OneLogin Profile Field)
user.email Email
user.first_name First Name
user.last_name Last Name
  1. Click Save after adding each parameter.

Map OneLogin user attributes for Baserow

Phase 4: Connect OneLogin to Baserow

Now export the metadata from OneLogin and import it into Baserow.

  1. In OneLogin, go to the More Actions dropdown menu (top right).
  2. Select SAML Metadata.
  3. This will download an XML file to your computer.
  4. Open the file with a text editor (Notepad/TextEdit) and copy the content.
  5. Return to your Baserow Add SAML Provider modal.
    • Name: OneLogin
    • Metadata: Paste the XML content.
  6. Click Save.

Learn how to add a SAML Provider in Baserow

Connect OneLogin to Baserow

Phase 5: Assign users

Users cannot log in until you assign them to the app in OneLogin.

  1. In OneLogin, go to Users -> Users.
  2. Select a user.
  3. Go to the Applications tab in their profile.
  4. Click the (+) icon and select Baserow.
  5. Click Continue.

Assign users in OneLogin

Troubleshooting & Common Issues

“Regular Expression” Error

If OneLogin rejects your “ACS URL Validator,” ensure you have escaped the dots (\.) and slashes (\/) in your URL. Use a tool like Regex101 to verify if needed.

Frequently Asked Questions (FAQ)

Does Baserow support SCIM with OneLogin?

Baserow supports Just-In-Time (JIT) provisioning. Accounts are created automatically when a user logs in for the first time. We do not currently support SCIM for automatic deprovisioning (deleting users) or syncing group memberships.

Can I disable password login?

Yes. Once OneLogin is verified to be working, you can disable “Email and Password” authentication in the Baserow Authentication settings to enforce SSO.

Related content

Still need help? If you’re looking for something else, please feel free to make recommendations or ask us questions; we’re ready to assist you.